
Re: ACL: Permissions with Groups and 'memberOf' Using Regex



On Sat, Jan 12, 2013 at 05:19:07PM +0200, Eren Türkay wrote:
> Hello,
> What I am aiming for is listed below.
> 
> 1- People in cn=managers,ou=XXXX,ou=branch should be able to add new
>    user/member under "ou=people,<base dn>". (Of course, setting member
>    attribute their branch "cn=members,ou=XXXX,ou=branch")
> 
> 2- These managers (cn=managers,ou=XXX,ou=branch) should only be able to
>    edit attributes of members registered to them. So, only people that
>    are members of "cn=members,ou=XXX,ou=branch" should be edited by
>    "cn=managers,ou=XXX,ou=branch".
>   
> 3- Any user should be able to edit some (e.g. not 'title') of his
>    attributes (I've done it but I'm not sure if it can be done in a more
>    elegant way. Config is attached at the end).
> 
> 4- General managers should be able to edit the tree and children of
>    "ou=branch,<base dn>" as well as "ou=people,<base dn>". This looks a
>    bit easier compared to 1 and 2.

I have simplified ACLs and allowed a few members to edit the tree.
Instead of using such a complex one, I used a simple solution with
"group.exact". Only people in general-managers can now edit the tree.
Managers of the branches are not considered (which was the complex part).

For those who will read this question in the future, the question still
remains open and hasn't been solved. I just used a simpler approach.

Regards,
Eren

-- 
    . 73! DE TA1AET
      http://linkedin.com/in/erenturkay
